There are some more serious security implications with your choice of tools (e.g., injections). Far from the definitive word, these are hotly debated, demonstrated, and refuted. Here are a couple of blog articles that you should research and consider re PHP:
- PHP Insecurity: Failure of Leadership (http://www.greebo.net/?p=320)
- PHP Security: Dumb Users or Dumb APIs? (http://www.sitepoint.com/blogs/2006/01/24/php-security-dumb-users-or-dumb-apis/)
This is from last year’s Blackhat, but it’s fairly new and still relevant:
- Beefed up OWASP 2.0 introduced at BlackHat (http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci443,00.html) and (http://www.owasp.org/index.php/Main_Page)
How to harden this? It’s a moving target. PHP6? Until it is released and then I’ll say PHP7… ;-)
The key is that if you don’t *really* have to be web-accessible, then don’t.
Steve
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oscar Schultz
Sent: Friday, August 18, 2006 5:48 PM
To: [EMAIL PROTECTED]; LDS Open Source Software
Subject: Re: [Ldsoss] Scout Tracking
you ever get the table definitions done as SQL?
Hello list,
Between scout camp, yw camp and family reunions I've done some but not as much as I wanted to on the tracker.
Below is what I currently have.
The question for the list is how to make the user interface secure.
The tools I have selected are mysql, php5, pear, apache2, and linux as the base os.
The application will run as a web server (server side code rather than JavaScript) and will require cookies.
I have been reading about cross-site scripting attacks (XSS). XSS looks to be a serious problem since it uses man in the middle to steal cookies.
Anyone have some ideas how to harden a web application so I can avoid design problems upfront?
thanks
oscar
create database tracker;
grant create,alter,select,insert,update,delete on tracker.* to [EMAIL PROTECTED];
use tracker;

# the table to record personal information
create table people (
  record_id int(32) unsigned auto_increment,
  firstname varchar(30) not null default '',
  middlename varchar(30) not null default '',
  lastname varchar(30) not null default '',
  preferredname varchar(30) not null default '',
  gender varchar(1),
  birthdate varchar(2),
  birthmonth varchar(3),
  birthyear varchar(4),
  emergency_passphrase varchar(30),
  # date  (no column type given in this draft)
  primary key (record_id)  # MySQL requires the auto_increment column to be a key
);

# the table to record personal address information
# 1 people record to many address record relationship
create table address (
  record_id int(32) unsigned auto_increment,
  people_record_id int(32) unsigned,  # link to people; only one auto_increment column is allowed per table
  address1 varchar(40),
  address2 varchar(40),
  city varchar(40),
  county varchar(40),
  state varchar(40),
  zipcode varchar(9),
  type varchar(10), # (primary, secondary, mailbox, residence, shipping, other, unknown)
  # date ?
  primary key (record_id)
);

# the table to record personal phone information
# 1 people record to many phone record relationship
create table phone (
  record_id int(32) unsigned auto_increment,
  people_record_id int(32) unsigned,  # link to people
  type varchar(10), # (personal cell, home, business, home2, business cell)
  area_code varchar(3),
  number varchar(7),
  extension varchar(7),
  # date ?
  primary key (record_id)
);

# a table to record emergency contacts
# 1 personal to many personal relationship
create table emergency_contact (
  record_id int(32) unsigned auto_increment,
  participant_record_id int(32) unsigned, #(participant) people record; two columns cannot share one name
  contact_record_id int(32) unsigned, #(emergency contact) people record
  relationship varchar(32), # string
  # date ?
  primary key (record_id)
);

# the authorization table to control access via the
# web interface (column types not yet given in this draft)
create table auth (
  record_id int(32) unsigned auto_increment,
  fname, #first_name
  mname, #middle_name
  lname, #last_name
  userid,
  password,
  password2,
  auth_level,
  email,
  password_start_date,
  password_status,
  # date ?
  primary key (record_id)
);

# a table to record the high level in the hierarchy
# of the award requirement, subrequirement chain
create table awards (
  record_id int(32) unsigned auto_increment,
  name varchar(128), #the name of the award
  org_group int(32) unsigned, # link to the group record
  max_age int(2) unsigned, # max age the award can be obtained
  min_age int(2) unsigned, # minimum age for award
  # date ?
  primary key (record_id)
);

# a table to record each completed award
# many awards to 1 people relationship
create table completed_awards (
  record_id int(32) unsigned auto_increment,
  people_record_id int(32) unsigned,  # link to people
  award_record_id int(32) unsigned,   # link to awards
  date_completed varchar(9), #ddmmm
  primary key (record_id)
);

# a table to record which image file relates to which person
# each file is a scanned image of the medical form
create table medical_form (
  record_id int(32) unsigned auto_increment,
  people_record_id int(32) unsigned,  # link to people
  image_record_id int(32) unsigned,   # link to the image file record
  # date ?
  primary key (record_id)
);
# a table to record which image file related to which person
# and
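The hardening Oscar asks about, as an added example that is not code from the thread: a PHP login handler for the tracker's auth table that binds the user-supplied userid as a query parameter (against injection), escapes what it echoes (against XSS), and marks the session cookie HttpOnly and Secure so script injected into a page cannot read it. It assumes the draft auth table (userid, password) with the password column holding a password_hash() value rather than plaintext (PHP 5.5+ with mysqli), and placeholder connection credentials.

```php
<?php
// Added example, not code from the thread. Three hardening measures for the
// tracker's login page on the stack Oscar lists (PHP, MySQL, Apache):
// parameterised SQL, output escaping, and session cookie flags.
// Assumes the draft auth table (userid, password) where password holds a
// password_hash() value (PHP >= 5.5); credentials below are placeholders.

// Cookie flags must be set before session_start(). HttpOnly keeps script
// (document.cookie) from reading the cookie; Secure limits it to HTTPS.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
session_start();

// Look up an account with a prepared statement: the user-supplied value is
// bound as data, so quotes or SQL keywords inside it never alter the query.
function find_user(mysqli $db, $userid)
{
    $stmt = $db->prepare('SELECT record_id, password FROM auth WHERE userid = ?');
    $stmt->bind_param('s', $userid);
    $stmt->execute();
    $stmt->bind_result($record_id, $hash);
    $user = $stmt->fetch() ? array('record_id' => $record_id, 'hash' => $hash) : null;
    $stmt->close();
    return $user;
}

// Escape everything echoed into HTML; a stored name containing markup is then
// displayed literally instead of running in the visitor's browser.
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

$db = new mysqli('localhost', 'tracker_app', 'PLACEHOLDER_PASSWORD', 'tracker');
$userid   = isset($_POST['userid'])   ? $_POST['userid']   : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

$user = find_user($db, $userid);
if ($user !== null && password_verify($password, $user['hash'])) {
    session_regenerate_id(true);            // fresh session id once logged in
    $_SESSION['auth_record_id'] = $user['record_id'];
    echo '<p>Welcome, ' . h($userid) . '</p>';
} else {
    echo '<p>Login failed.</p>';            // same message whether or not the userid exists
}
```

With session.cookie_secure on, the page has to be served over HTTPS or the browser will not send the session cookie back.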